Breaking: autocreate new workflow for each flavour - fix passage of e…

…nv overwrites; update config to reflect usage

.github/workflows/code-quality-check.yml

@@ -9,50 +9,16 @@ on:
           JSON string with environment variables to pass to the mega-linter.
           To pass all environment variables, use toJson(env)
         required: false
-        default: "{}" # Empty JSON object
-        type: string
-      FLAVOR:
-        description: |
-          You can override MegaLinter flavor used to have faster performances
-          More info at https://megalinter.io/flavors/
-        required: false
-        default: all
+        default: '{}' # Empty JSON object
         type: string
   workflow_dispatch:
     inputs:
       JSON_ENV:
         description: |
           JSON string with environment variables to pass to the mega-linter.
         required: false
-        default: "{}" # Empty JSON object
+        default: '{}' # Empty JSON object
         type: string
-      FLAVOR:
-        description: |
-          You can override MegaLinter flavor used to have faster performances
-          More info at https://megalinter.io/flavors/
-        required: false
-        default: all
-        type: choice
-        options:
-          - all
-          - c_cpp
-          - ci_light
-          - cupcake
-          - documentation
-          - dotnet
-          - dotnetweb
-          - formatters
-          - go
-          - java
-          - javascript
-          - php
-          - python
-          - ruby
-          - rust
-          - salesforce
-          - security
-          - swift
-          - terraformg
 
   # Trigger the workflow also on push or pull request in this repository
   push:
@@ -76,10 +42,6 @@ concurrency:
   group: ${{ github.ref }}-${{ github.workflow }}
   cancel-in-progress: true
 
-env:
-  MEGALINT_VERSION: v7.10.0 # Cannot pin this version since we use multiple flavors
-  MEGALINT_FLAVOR: ${{ (inputs.FLAVOR && inputs.FLAVOR != 'all') && format('/flavors/{0}', inputs.FLAVOR) || '' }}
-
 jobs:
   check-code-quality:
     name: Run MegaLinter to check code quality
@@ -115,7 +77,7 @@ jobs:
 
       # MegaLinter
       - name: MegaLinter
-        uses: jenseng/dynamic-uses@5175289a9a87978dcfcb9cf512b821d23b2a53eb # v1
+        uses: oxsecurity/[email protected]
         id: ml
         env:
           # All available variables are described in documentation
@@ -137,10 +99,6 @@ jobs:
             }}
 
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          # You can override MegaLinter flavor used to have faster performances
-          # More info at https://megalinter.io/flavors/
-          uses: oxsecurity/megalinter${{ env.MEGALINT_FLAVOR }}@${{ env.MEGALINT_VERSION }}
 
       # Upload MegaLinter artifacts
       - name: Archive production artifacts

.github/workflows/flavors/c_cpp-code-quality-check.yml

@@ -0,0 +1,122 @@
+name: Code Quality
+# Workflow to check if project meets the code quality standards of the Biosustain group
+
+on:
+  workflow_call:
+    inputs:
+      JSON_ENV:
+        description: |
+          JSON string with environment variables to pass to the mega-linter.
+          To pass all environment variables, use toJson(env)
+        required: false
+        default: '{}' # Empty JSON object
+        type: string
+  workflow_dispatch:
+    inputs:
+      JSON_ENV:
+        description: |
+          JSON string with environment variables to pass to the mega-linter.
+        required: false
+        default: '{}' # Empty JSON object
+        type: string
+
+  # Trigger the workflow also on push or pull request in this repository
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+# Give the default GITHUB_TOKEN write permission to commit and push, comment
+# issues & post new PR; remove the ones you do not need
+permissions:
+  security-events: write
+  actions: read # Needed to run codeql/upload-sarif@v3
+  contents: write
+  issues: write
+  pull-requests: write
+  statuses: write
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  check-code-quality:
+    name: Run MegaLinter to check code quality
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Load configuration
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          repository: biosustain/code-quality-check
+          path: config
+
+      - name: Checkout Code
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          path: code
+          fetch-depth: 0
+
+      - name: Set config path environment variables
+        env:
+          JSON_ENV: ${{ inputs.JSON_ENV }}
+        run: |
+          # Set the environment variables for the MegaLinter
+          echo "$JSON_ENV" | jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" | tee -a "$GITHUB_ENV"
+          # Extend the configuration file if it exists, else use default
+          if [ -f code/.mega-linter.yml ]; then
+            # This cannot be set is there is no .mega-linter.yml in project
+            echo 'EXTENDS=../config/.mega-linter.yml' | tee -a "$GITHUB_ENV"
+          else
+            echo 'MEGALINTER_CONFIG=../config/.mega-linter.yml' | tee -a "$GITHUB_ENV"
+          fi
+
+      # MegaLinter
+      - name: MegaLinter
+        uses: oxsecurity/megalinter/flavors/${flavor}@v7.10.0
+        id: ml
+        env:
+          # All available variables are described in documentation
+          # https://megalinter.io/configuration/
+
+          # Define the reporters used in this action (not overrideable)
+          SARIF_REPORTER: true
+          MARKDOWN_SUMMARY_REPORTER: true
+
+          GITHUB_WORKSPACE: ${{ github.workspace }}/code
+          DEFAULT_WORKSPACE: ${{ github.workspace }}/code
+
+          # Validates all source when push on main, else just the git diff with
+          # main.
+          VALIDATE_ALL_CODEBASE: >
+            ${{
+              github.event_name == 'push' &&
+              contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)
+            }}
+
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Upload MegaLinter artifacts
+      - name: Archive production artifacts
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        if: always() && (steps.ml.outcome == 'failure') # Only upload if MegaLinter failed
+        with:
+          name: MegaLinter reports
+          path: |
+            megalinter-reports
+            mega-linter.log
+
+      - name: Upload MegaLinter scan results to GitHub Security tab
+        continue-on-error: true # This might error if github advanced security is not enabled
+        if: always() && (steps.ml.outcome == 'failure') # Only upload if MegaLinter failed
+        uses: github/codeql-action/upload-sarif@c7f9125735019aa87cfc361530512d50ea439c71 # v3.25.1
+        with:
+          sarif_file: "megalinter-reports/megalinter-report.sarif"
+
+      - name: Show report in job summary
+        if: always() && (steps.ml.outcome == 'success' || steps.ml.outcome == 'failure') # Only show if MegaLinter ran
+        run: tee "$GITHUB_STEP_SUMMARY" < megalinter-reports/megalinter-report.md

.github/workflows/flavors/ci_light-code-quality-check.yml

@@ -0,0 +1,122 @@
+name: Code Quality
+# Workflow to check if project meets the code quality standards of the Biosustain group
+
+on:
+  workflow_call:
+    inputs:
+      JSON_ENV:
+        description: |
+          JSON string with environment variables to pass to the mega-linter.
+          To pass all environment variables, use toJson(env)
+        required: false
+        default: '{}' # Empty JSON object
+        type: string
+  workflow_dispatch:
+    inputs:
+      JSON_ENV:
+        description: |
+          JSON string with environment variables to pass to the mega-linter.
+        required: false
+        default: '{}' # Empty JSON object
+        type: string
+
+  # Trigger the workflow also on push or pull request in this repository
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+# Give the default GITHUB_TOKEN write permission to commit and push, comment
+# issues & post new PR; remove the ones you do not need
+permissions:
+  security-events: write
+  actions: read # Needed to run codeql/upload-sarif@v3
+  contents: write
+  issues: write
+  pull-requests: write
+  statuses: write
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  check-code-quality:
+    name: Run MegaLinter to check code quality
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Load configuration
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          repository: biosustain/code-quality-check
+          path: config
+
+      - name: Checkout Code
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          path: code
+          fetch-depth: 0
+
+      - name: Set config path environment variables
+        env:
+          JSON_ENV: ${{ inputs.JSON_ENV }}
+        run: |
+          # Set the environment variables for the MegaLinter
+          echo "$JSON_ENV" | jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" | tee -a "$GITHUB_ENV"
+          # Extend the configuration file if it exists, else use default
+          if [ -f code/.mega-linter.yml ]; then
+            # This cannot be set is there is no .mega-linter.yml in project
+            echo 'EXTENDS=../config/.mega-linter.yml' | tee -a "$GITHUB_ENV"
+          else
+            echo 'MEGALINTER_CONFIG=../config/.mega-linter.yml' | tee -a "$GITHUB_ENV"
+          fi
+
+      # MegaLinter
+      - name: MegaLinter
+        uses: oxsecurity/megalinter/flavors/${flavor}@v7.10.0
+        id: ml
+        env:
+          # All available variables are described in documentation
+          # https://megalinter.io/configuration/
+
+          # Define the reporters used in this action (not overrideable)
+          SARIF_REPORTER: true
+          MARKDOWN_SUMMARY_REPORTER: true
+
+          GITHUB_WORKSPACE: ${{ github.workspace }}/code
+          DEFAULT_WORKSPACE: ${{ github.workspace }}/code
+
+          # Validates all source when push on main, else just the git diff with
+          # main.
+          VALIDATE_ALL_CODEBASE: >
+            ${{
+              github.event_name == 'push' &&
+              contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)
+            }}
+
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Upload MegaLinter artifacts
+      - name: Archive production artifacts
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        if: always() && (steps.ml.outcome == 'failure') # Only upload if MegaLinter failed
+        with:
+          name: MegaLinter reports
+          path: |
+            megalinter-reports
+            mega-linter.log
+
+      - name: Upload MegaLinter scan results to GitHub Security tab
+        continue-on-error: true # This might error if github advanced security is not enabled
+        if: always() && (steps.ml.outcome == 'failure') # Only upload if MegaLinter failed
+        uses: github/codeql-action/upload-sarif@c7f9125735019aa87cfc361530512d50ea439c71 # v3.25.1
+        with:
+          sarif_file: "megalinter-reports/megalinter-report.sarif"
+
+      - name: Show report in job summary
+        if: always() && (steps.ml.outcome == 'success' || steps.ml.outcome == 'failure') # Only show if MegaLinter ran
+        run: tee "$GITHUB_STEP_SUMMARY" < megalinter-reports/megalinter-report.md